aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorPaul Moore <paul.moore@hp.com>2008-10-10 10:16:33 -0400
committerPaul Moore <paul.moore@hp.com>2008-10-10 10:16:33 -0400
commit6c5b3fc0147f79d714d2fe748b5869d7892ef2e7 (patch)
tree2cff691b2d4da2afd69660cb4ee647f6b553cdf9
parent014ab19a69c325f52d7bae54ceeda73d6307ae0c (diff)
selinux: Cache NetLabel secattrs in the socket's security struct
Previous work enabled the use of address based NetLabel selectors, which while highly useful, brought the potential for additional per-packet overhead when used. This patch attempts to mitigate some of that overhead by caching the NetLabel security attribute struct within the SELinux socket security structure. This should help eliminate the need to recreate the NetLabel secattr structure for each packet resulting in less overhead. Signed-off-by: Paul Moore <paul.moore@hp.com> Acked-by: James Morris <jmorris@namei.org>
-rw-r--r--security/selinux/hooks.c1
-rw-r--r--security/selinux/include/netlabel.h7
-rw-r--r--security/selinux/include/objsec.h7
-rw-r--r--security/selinux/netlabel.c115
4 files changed, 91 insertions, 39 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 632ac3e80a61..3aa811eba25b 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -291,6 +291,7 @@ static void sk_free_security(struct sock *sk)
291 struct sk_security_struct *ssec = sk->sk_security; 291 struct sk_security_struct *ssec = sk->sk_security;
292 292
293 sk->sk_security = NULL; 293 sk->sk_security = NULL;
294 selinux_netlbl_sk_security_free(ssec);
294 kfree(ssec); 295 kfree(ssec);
295} 296}
296 297
diff --git a/security/selinux/include/netlabel.h b/security/selinux/include/netlabel.h
index 982bac0ac328..b913c8d06038 100644
--- a/security/selinux/include/netlabel.h
+++ b/security/selinux/include/netlabel.h
@@ -41,6 +41,7 @@ void selinux_netlbl_cache_invalidate(void);
41 41
42void selinux_netlbl_err(struct sk_buff *skb, int error, int gateway); 42void selinux_netlbl_err(struct sk_buff *skb, int error, int gateway);
43 43
44void selinux_netlbl_sk_security_free(struct sk_security_struct *ssec);
44void selinux_netlbl_sk_security_reset(struct sk_security_struct *ssec, 45void selinux_netlbl_sk_security_reset(struct sk_security_struct *ssec,
45 int family); 46 int family);
46 47
@@ -77,6 +78,12 @@ static inline void selinux_netlbl_err(struct sk_buff *skb,
77 return; 78 return;
78} 79}
79 80
81static inline void selinux_netlbl_sk_security_free(
82 struct sk_security_struct *ssec)
83{
84 return;
85}
86
80static inline void selinux_netlbl_sk_security_reset( 87static inline void selinux_netlbl_sk_security_reset(
81 struct sk_security_struct *ssec, 88 struct sk_security_struct *ssec,
82 int family) 89 int family)
diff --git a/security/selinux/include/objsec.h b/security/selinux/include/objsec.h
index ad34787c6c02..f8be8d7fa26d 100644
--- a/security/selinux/include/objsec.h
+++ b/security/selinux/include/objsec.h
@@ -109,9 +109,6 @@ struct netport_security_struct {
109}; 109};
110 110
111struct sk_security_struct { 111struct sk_security_struct {
112 u32 sid; /* SID of this object */
113 u32 peer_sid; /* SID of peer */
114 u16 sclass; /* sock security class */
115#ifdef CONFIG_NETLABEL 112#ifdef CONFIG_NETLABEL
116 enum { /* NetLabel state */ 113 enum { /* NetLabel state */
117 NLBL_UNSET = 0, 114 NLBL_UNSET = 0,
@@ -120,7 +117,11 @@ struct sk_security_struct {
120 NLBL_REQSKB, 117 NLBL_REQSKB,
121 NLBL_CONNLABELED, 118 NLBL_CONNLABELED,
122 } nlbl_state; 119 } nlbl_state;
120 struct netlbl_lsm_secattr *nlbl_secattr; /* NetLabel sec attributes */
123#endif 121#endif
122 u32 sid; /* SID of this object */
123 u32 peer_sid; /* SID of peer */
124 u16 sclass; /* sock security class */
124}; 125};
125 126
126struct key_security_struct { 127struct key_security_struct {
diff --git a/security/selinux/netlabel.c b/security/selinux/netlabel.c
index b22b7dafa0e3..f58701a7b728 100644
--- a/security/selinux/netlabel.c
+++ b/security/selinux/netlabel.c
@@ -68,6 +68,38 @@ static int selinux_netlbl_sidlookup_cached(struct sk_buff *skb,
68} 68}
69 69
70/** 70/**
71 * selinux_netlbl_sock_genattr - Generate the NetLabel socket secattr
72 * @sk: the socket
73 *
74 * Description:
75 * Generate the NetLabel security attributes for a socket, making full use of
76 * the socket's attribute cache. Returns a pointer to the security attributes
77 * on success, NULL on failure.
78 *
79 */
80static struct netlbl_lsm_secattr *selinux_netlbl_sock_genattr(struct sock *sk)
81{
82 int rc;
83 struct sk_security_struct *sksec = sk->sk_security;
84 struct netlbl_lsm_secattr *secattr;
85
86 if (sksec->nlbl_secattr != NULL)
87 return sksec->nlbl_secattr;
88
89 secattr = netlbl_secattr_alloc(GFP_ATOMIC);
90 if (secattr == NULL)
91 return NULL;
92 rc = security_netlbl_sid_to_secattr(sksec->sid, secattr);
93 if (rc != 0) {
94 netlbl_secattr_free(secattr);
95 return NULL;
96 }
97 sksec->nlbl_secattr = secattr;
98
99 return secattr;
100}
101
102/**
71 * selinux_netlbl_sock_setsid - Label a socket using the NetLabel mechanism 103 * selinux_netlbl_sock_setsid - Label a socket using the NetLabel mechanism
72 * @sk: the socket to label 104 * @sk: the socket to label
73 * 105 *
@@ -80,17 +112,15 @@ static int selinux_netlbl_sock_setsid(struct sock *sk)
80{ 112{
81 int rc; 113 int rc;
82 struct sk_security_struct *sksec = sk->sk_security; 114 struct sk_security_struct *sksec = sk->sk_security;
83 struct netlbl_lsm_secattr secattr; 115 struct netlbl_lsm_secattr *secattr;
84 116
85 if (sksec->nlbl_state != NLBL_REQUIRE) 117 if (sksec->nlbl_state != NLBL_REQUIRE)
86 return 0; 118 return 0;
87 119
88 netlbl_secattr_init(&secattr); 120 secattr = selinux_netlbl_sock_genattr(sk);
89 121 if (secattr == NULL)
90 rc = security_netlbl_sid_to_secattr(sksec->sid, &secattr); 122 return -ENOMEM;
91 if (rc != 0) 123 rc = netlbl_sock_setattr(sk, secattr);
92 goto sock_setsid_return;
93 rc = netlbl_sock_setattr(sk, &secattr);
94 switch (rc) { 124 switch (rc) {
95 case 0: 125 case 0:
96 sksec->nlbl_state = NLBL_LABELED; 126 sksec->nlbl_state = NLBL_LABELED;
@@ -101,8 +131,6 @@ static int selinux_netlbl_sock_setsid(struct sock *sk)
101 break; 131 break;
102 } 132 }
103 133
104sock_setsid_return:
105 netlbl_secattr_destroy(&secattr);
106 return rc; 134 return rc;
107} 135}
108 136
@@ -137,6 +165,20 @@ void selinux_netlbl_err(struct sk_buff *skb, int error, int gateway)
137} 165}
138 166
139/** 167/**
168 * selinux_netlbl_sk_security_free - Free the NetLabel fields
169 * @sssec: the sk_security_struct
170 *
171 * Description:
172 * Free all of the memory in the NetLabel fields of a sk_security_struct.
173 *
174 */
175void selinux_netlbl_sk_security_free(struct sk_security_struct *ssec)
176{
177 if (ssec->nlbl_secattr != NULL)
178 netlbl_secattr_free(ssec->nlbl_secattr);
179}
180
181/**
140 * selinux_netlbl_sk_security_reset - Reset the NetLabel fields 182 * selinux_netlbl_sk_security_reset - Reset the NetLabel fields
141 * @ssec: the sk_security_struct 183 * @ssec: the sk_security_struct
142 * @family: the socket family 184 * @family: the socket family
@@ -209,7 +251,8 @@ int selinux_netlbl_skbuff_setsid(struct sk_buff *skb,
209 u32 sid) 251 u32 sid)
210{ 252{
211 int rc; 253 int rc;
212 struct netlbl_lsm_secattr secattr; 254 struct netlbl_lsm_secattr secattr_storage;
255 struct netlbl_lsm_secattr *secattr = NULL;
213 struct sock *sk; 256 struct sock *sk;
214 257
215 /* if this is a locally generated packet check to see if it is already 258 /* if this is a locally generated packet check to see if it is already
@@ -219,16 +262,21 @@ int selinux_netlbl_skbuff_setsid(struct sk_buff *skb,
219 struct sk_security_struct *sksec = sk->sk_security; 262 struct sk_security_struct *sksec = sk->sk_security;
220 if (sksec->nlbl_state != NLBL_REQSKB) 263 if (sksec->nlbl_state != NLBL_REQSKB)
221 return 0; 264 return 0;
265 secattr = sksec->nlbl_secattr;
266 }
267 if (secattr == NULL) {
268 secattr = &secattr_storage;
269 netlbl_secattr_init(secattr);
270 rc = security_netlbl_sid_to_secattr(sid, secattr);
271 if (rc != 0)
272 goto skbuff_setsid_return;
222 } 273 }
223 274
224 netlbl_secattr_init(&secattr); 275 rc = netlbl_skbuff_setattr(skb, family, secattr);
225 rc = security_netlbl_sid_to_secattr(sid, &secattr);
226 if (rc != 0)
227 goto skbuff_setsid_return;
228 rc = netlbl_skbuff_setattr(skb, family, &secattr);
229 276
230skbuff_setsid_return: 277skbuff_setsid_return:
231 netlbl_secattr_destroy(&secattr); 278 if (secattr == &secattr_storage)
279 netlbl_secattr_destroy(secattr);
232 return rc; 280 return rc;
233} 281}
234 282
@@ -245,18 +293,18 @@ void selinux_netlbl_inet_conn_established(struct sock *sk, u16 family)
245{ 293{
246 int rc; 294 int rc;
247 struct sk_security_struct *sksec = sk->sk_security; 295 struct sk_security_struct *sksec = sk->sk_security;
248 struct netlbl_lsm_secattr secattr; 296 struct netlbl_lsm_secattr *secattr;
249 struct inet_sock *sk_inet = inet_sk(sk); 297 struct inet_sock *sk_inet = inet_sk(sk);
250 struct sockaddr_in addr; 298 struct sockaddr_in addr;
251 299
252 if (sksec->nlbl_state != NLBL_REQUIRE) 300 if (sksec->nlbl_state != NLBL_REQUIRE)
253 return; 301 return;
254 302
255 netlbl_secattr_init(&secattr); 303 secattr = selinux_netlbl_sock_genattr(sk);
256 if (security_netlbl_sid_to_secattr(sksec->sid, &secattr) != 0) 304 if (secattr == NULL)
257 goto inet_conn_established_return; 305 return;
258 306
259 rc = netlbl_sock_setattr(sk, &secattr); 307 rc = netlbl_sock_setattr(sk, secattr);
260 switch (rc) { 308 switch (rc) {
261 case 0: 309 case 0:
262 sksec->nlbl_state = NLBL_LABELED; 310 sksec->nlbl_state = NLBL_LABELED;
@@ -266,13 +314,13 @@ void selinux_netlbl_inet_conn_established(struct sock *sk, u16 family)
266 * labeling protocols */ 314 * labeling protocols */
267 if (family != PF_INET) { 315 if (family != PF_INET) {
268 sksec->nlbl_state = NLBL_UNSET; 316 sksec->nlbl_state = NLBL_UNSET;
269 goto inet_conn_established_return; 317 return;
270 } 318 }
271 319
272 addr.sin_family = family; 320 addr.sin_family = family;
273 addr.sin_addr.s_addr = sk_inet->daddr; 321 addr.sin_addr.s_addr = sk_inet->daddr;
274 if (netlbl_conn_setattr(sk, (struct sockaddr *)&addr, 322 if (netlbl_conn_setattr(sk, (struct sockaddr *)&addr,
275 &secattr) != 0) { 323 secattr) != 0) {
276 /* we failed to label the connected socket (could be 324 /* we failed to label the connected socket (could be
277 * for a variety of reasons, the actual "why" isn't 325 * for a variety of reasons, the actual "why" isn't
278 * important here) so we have to go to our backup plan, 326 * important here) so we have to go to our backup plan,
@@ -300,10 +348,6 @@ void selinux_netlbl_inet_conn_established(struct sock *sk, u16 family)
300 * return an error code */ 348 * return an error code */
301 break; 349 break;
302 } 350 }
303
304inet_conn_established_return:
305 netlbl_secattr_destroy(&secattr);
306 return;
307} 351}
308 352
309/** 353/**
@@ -468,13 +512,12 @@ int selinux_netlbl_socket_connect(struct sock *sk, struct sockaddr *addr)
468{ 512{
469 int rc; 513 int rc;
470 struct sk_security_struct *sksec = sk->sk_security; 514 struct sk_security_struct *sksec = sk->sk_security;
471 struct netlbl_lsm_secattr secattr; 515 struct netlbl_lsm_secattr *secattr;
472 516
473 if (sksec->nlbl_state != NLBL_REQSKB && 517 if (sksec->nlbl_state != NLBL_REQSKB &&
474 sksec->nlbl_state != NLBL_CONNLABELED) 518 sksec->nlbl_state != NLBL_CONNLABELED)
475 return 0; 519 return 0;
476 520
477 netlbl_secattr_init(&secattr);
478 local_bh_disable(); 521 local_bh_disable();
479 bh_lock_sock_nested(sk); 522 bh_lock_sock_nested(sk);
480 523
@@ -487,17 +530,17 @@ int selinux_netlbl_socket_connect(struct sock *sk, struct sockaddr *addr)
487 rc = 0; 530 rc = 0;
488 goto socket_connect_return; 531 goto socket_connect_return;
489 } 532 }
490 rc = security_netlbl_sid_to_secattr(sksec->sid, &secattr); 533 secattr = selinux_netlbl_sock_genattr(sk);
491 if (rc != 0) 534 if (secattr == NULL) {
535 rc = -ENOMEM;
492 goto socket_connect_return; 536 goto socket_connect_return;
493 rc = netlbl_conn_setattr(sk, addr, &secattr); 537 }
494 if (rc != 0) 538 rc = netlbl_conn_setattr(sk, addr, secattr);
495 goto socket_connect_return; 539 if (rc == 0)
496 sksec->nlbl_state = NLBL_CONNLABELED; 540 sksec->nlbl_state = NLBL_CONNLABELED;
497 541
498socket_connect_return: 542socket_connect_return:
499 bh_unlock_sock(sk); 543 bh_unlock_sock(sk);
500 local_bh_enable(); 544 local_bh_enable();
501 netlbl_secattr_destroy(&secattr);
502 return rc; 545 return rc;
503} 546}